Puppet’s 2019 State of DevOps Report highlight security integration into DevOps practices result into higher business outcome

On Wednesday, Puppet announced the findings of its eighth annual State of DevOps Report. This report reveals practices and patterns that can help organisations in integrating security into the software development lifecycle.

As per Puppet’s 2019 State of DevOps Report, 22% of the firms at the highest level of security integration has reached an advanced stage of DevOps maturity, while 6% of the firms are without security integration.

While talking about the firms with an overall ‘significant to full’ integration status, according to the report findings, Europe is ahead of the Asia Pacific regions and the US with 43% in contrast to 38% or less.

Alanna Brown, Senior Director of Community and Developer Relations at Puppet and author of the State of DevOps report, said, “The DevOps principles that drive positive outcomes for software development — culture, automation, measurement and sharing — are the same principles that drive positive security outcomes. Organisations that are serious about improving their security practices and posture should start by adopting DevOps practices.”

Brown added, “This year’s report affirms our belief that organisations who ignore or deprioritise DevOps, are the same companies who have the lowest level of security integration and who will be hit the hardest in the case of a breach.”

Key findings of State of the DevOps Report 2019

According to the report, firms that are at the highest level of security integration can deploy to production on-demand at a higher rate as compared to firms at all other levels of integration. Currently, 61% of firms are able to do so and while comparing with organisations that have not integrated security at all, less than half (49%) can deploy on-demand.

According to 82% of survey respondents at firms with the highest level of security integration, security practices and policies to improve their firm’s security posture. While comparing this with respondents at firms without security integration, only 38% had the level of confidence.

Firms that are integrating security throughout their lifecycle are more than twice as likely to stop a push to production for a medium security vulnerability.

In the middle stages of evolution of security integration, delivery and security teams experience higher friction while collaborating where software delivery slows down and the audit issues increase. The report findings state that friction is higher for respondents who work in security jobs than those who work in non-security jobs. But if they continue working, they will get the results of their hard work faster.

Hypothesis on remediation time

As per the hypothesis, just 7% of the total respondents can remediate a critical vulnerability in less than an hour.

32% of the total respondents can remediate in one hour to less than one day.

33% of the total respondents can remediate in one day to less than one week.

Stahnke added, “What did surprise me, however, was that the practices that promote cross-team collaboration had the biggest impact on the teams’ confidence in the organisation’s security posture. Turns out, empathy and trust aren’t automatable.”

Factors responsible for the success of an organizational structure to be DevOps ready

The flexibility of the current organizational structure.

The organizational culture.

How isolated the different functions are.

Skillsets of your team.

The relationship between team leaders and teams.

Best practices for improving security posture

Development and security teams collaborate on threat models.

Security tools are integrated in the development integration pipeline such that the engineers feel confident that they are not involving any known security problems into their codebases.

Security requirements, both functional as well as non-functional should be prioritised as part of the product backlog.

Security experts should evaluate automated tests and review changes in high-risk areas of the code like cryptography, authentication systems, etc.

Before the deployment, infrastructure-related security policies should be reviewed.

Plato added, “While the report outlines many problems, it also highlights the gains that arise when DevOps and security are fully integrated. These benefits include increased security effectiveness, more robust risk management, and tighter alignment of business and security goals. These insights mirror our experiences at Anitian implementing our security automation platform. We are proud to be a sponsor of the State of DevOps report as well as a technology partner with Puppet. We anticipate referencing this report regularly in our engagement with our customers as well as the DevOps and security communities.”

To summarize, organizations that are focusing on improving their security posture and practices should adopt DevOps practices just as the organizations at the highest levels of DevOps acceptance have fully integrated security practices.